Report Summary


Introduction


We performed an information system audit of Montana State
University’s Banner system. Banner is a commercially developed
computer application used to administer campus operations. We
reviewed application controls over the Banner Financial Aid, Human
Resource, Student and Finance modules, and general controls over
the University computer environment.


Background information, audit objectives, and audit scope are
discussed in Chapter I. Further discussion of the audit issues
summarized below is included in Chapters II and III. Overall, we
found that Banner processes information as intended. However, we
found weaknesses in access security controls and identified outdated
computing policies. We also identified control weaknesses related to
payroll data entry at MSU-Billings and invoice data entry at
MSU-Bozeman.


General Controls


The Banner system is a relational database. In a relational database,
data is contained in a number of tables which are linked to each
other by common data elements within each table. Database tables
were developed for each campus. MSU-Bozeman is responsible for
maintaining the Banner system and support services. Banner
security and user access accounts for MSU-Bozeman, MSU-Billings,
MSU-Great Falls College of Technology, and MSU-Northern are
administered by all of the campuses. We reviewed the following
general control areas: Banner access security, database
administrator access to Banner production data, payroll access, and
computing policy and procedures manuals. Audit issues are
summarized below.


• We selected critical forms and processes within each of the
modules and reviewed the users with access to change data.
We identified employees from each campus with inappropriate
change access to the selected forms and processes. The users
we recommended MSU restrict or remove include
programmers, users that no longer work for MSU or have
changed job positions with MSU, and users assigned to Banner
classes which grant them more access than needed for their job
duties.


• Database administrators (DBAs) in Bozeman maintain the
database tables which hold Banner data for all of the campuses.
We identified shared user IDs that were created so three DBAs
can log on to the system as users to research processing
problems on Banner. The shared IDs allow access to critical
Banner forms and processes that allow them to change, add or
delete accounting and payroll data.


• MSU-Bozeman’s Facilities Services department uses a separate
software system to record and feed payroll data to the Banner
Human Resources System (HRS). Personnel indicated Banner
HRS does not accommodate Facilities Services union or internal
payroll policies. As a result, for every payroll processed there
are discrepancies between HRS and Facilities Services leave
balances that must be corrected. To efficiently resolve the
discrepancies, a Facilities Services information systems
employee was given access to make adjustments to employee
leave balances in Banner HRS for the Facilities Services
department, as well as for all MSU campuses.


• We reviewed the Computing Policy Manual to determine if
policies are in place to outline computing management and
university security requirements, and whether MSU is in
compliance with the policies. The Computing Policy Manual is
outdated, and many of the policies listed do not correspond with
the current computing environment. Without current policies,
management is not able to monitor compliance and employees
do not have guidelines to follow.


Banner Application Controls


Application controls are specific to a given computer application or a
set of programs that accomplish a specific function. We evaluated
application controls specific to Banner modules within Banner
Finance, such as Accounts Receivable and Accounts Payable, and also
the Financial Aid, HRS, and Student Systems. Audit issues are
summarized below.


• Vendor invoice information is entered in Banner based on
documentation received from departments or directly from the
vendor. Banner contains a system edit which will not allow the
entry of two identical numbers in the invoice number field.
However, Bozeman personnel do not record the invoice number
in the designated Banner field. Instead, they record the invoice
number in a text field associated with the transaction where there
are no validation edits in place to detect whether the number has
already been recorded. We reviewed five duplicate payments that
were corrected within a two-week period. Procedures should be
in place to ensure payment is issued based on original invoice,
and data is recorded accurately and correctly, using the system
functionality.


• Each campus is responsible for entering and processing its own
payroll. In some instances, MSU-Billings enters the total amount
paid as the employee's hourly wage for a pay period instead of
entering the hours worked and the corresponding hourly rate (i.e.
employees are recorded on Banner as working one hour at an
hourly wage of $208). Employee time worked should be
accurately recorded on time sheets and in Banner. Summarizing
time worked does not provide the support needed to reconcile
payroll at a detail level, and makes it more difficult for personnel
to identify errors in wages.


Chapter I - Introduction


System Background


We performed an information system audit of Montana State
University’s Banner2000 (Banner) system. Banner is a
commercially developed computer application used to administer
campus operations. The Banner System is a relational database. In
a relational database, data is contained in a number of tables which
are linked to each other by common data elements within each table.
Database tables were developed for each of the Bozeman, Great
Falls, Havre, and Billings campuses. MSU-Bozeman is responsible
for maintaining the Banner system and support services. Banner
security and user access accounts are administered by all of the
campuses.


The Banner System is made up of many interrelated components.
MSU-Bozeman and the affiliated campuses use four Banner
components.


The Banner Finance System (Finance) includes the General 
Ledger, Accounts Receivable, Accounts Payable, Purchasing, Fixed 
Assets and Research Accounting modules. The Finance system 
allows MSU to track, maintain, and process its financial 
information. The General Ledger feeds financial information to the 
Statewide Accounting, Budgeting, and Human Resource System 
(SABHRS). 


The Banner Human Resource System (HRS) includes information 
needed to administer the University’s human resources, such as 
employment and compensation; position control and staffing; 
applicant tracking, requisitioning, and processing; EEO, W-2, and 
1099-R reporting; payroll processing; and administration of benefits 
and leave. 


The Banner Financial Aid System (FAS) handles the information 
processing activities of the Financial Aid Office. Banner performs 
calculations to support budgeting, student needs analysis, and benefit 
packaging. 


The Banner Student System (Student) maintains information related
to the student population, such as scheduling, registration,
calculating tuition and fees, accounts receivable, and academic
history. The Web for Students module was implemented in
November 2000 and allows students and faculty to access
information such as student registration, financial aid and class
schedules via the web.


Within each of the four components are integrated modules each 
campus chose to implement. 


This report is organized into three chapters. Chapter I provides an
introduction and background on Banner. Chapter II addresses
general controls over the information system processing
environment. Chapter III documents concerns relating to application
controls or data processed through the system.


The Banner system is used to process and report MSU's financial
and management data. The objective of our audit included 
identifying and testing selected processes and documenting how the 
different Banner modules are used by each campus. Our objective is 
to provide assurances over identified controls and to share our 
understanding of system processes and controls with others having a 
need for this information. The information gathered during the audit 
is shared with financial-compliance audit staff to consider during 
their audit work. 


The objectives of this audit were to: 


1. Follow-up and determine implementation status of
recommendations from our MSU Banner2000 System
(00DP-04) audit issued in March 2000.


2. Obtain an understanding of how each campus is using Banner 
modules. 


3. Evaluate system access controls over financial data and system 
processes. 


4. Evaluate specific input, processing and output controls intended 
to help ensure data accuracy in Banner and SABHRS. 


5. Evaluate general controls to ensure physical security of system
hardware, system access is controlled, and that procedures and
policies are in place to control and protect MSU computing
operations.


Audit Scope and Methodology


The audit was conducted in accordance with governmental auditing
standards published by the United States General Accounting Office.
We evaluated controls using criteria established by the AICPA and
the information technology industry. We reviewed general controls
over MSU-Bozeman’s computing environment and application
controls over selected Banner modules.


We gathered information regarding the modules implemented by the
MSU campuses. Audit staff spent time at each campus to obtain an
understanding of how each one uses the different Banner
components. We interviewed personnel, observed personnel
perform job duties, and reviewed documentation related to
processing of financial and human resource information, and
reviewed selected data tables for content. We evaluated controls
over employee access to the system and data to determine
appropriateness based on the job duties assigned.


Compliance


We audited system processing to assess compliance with certain state
and federal laws. We verified tax withholding rates on Banner agree
with state and federal rates and retirement withholding rates comply
with state law. We verified sick and annual leave are accrued at
rates set by Board of Regent policies. We determined MSU is in
compliance with laws applicable to the processing of payroll as
tested.


We also verified that student registration fees charged through
Banner are in compliance with fees established by the Board of
Regents. We determined that Banner assesses student fees per credit
accurately based on the approved Board of Regent fee schedule.


In conclusion, we determined that overall, Banner processes
information as intended. However, we identified weaknesses in
access security controls over the Banner system and identified
outdated computing policies. We also identified control weaknesses
related to payroll data entry at MSU-Billings and invoice data entry
at MSU-Bozeman. These issues are discussed in the following
chapters.


Our previous audit report (MSU Banner2000 System, 00DP-04) 
contained seven recommendations. MSU-Bozeman implemented 
three, partially implemented three, and one recommendation is not 
implemented. 


We recommended MSU assign employees system access that is
appropriate based on their job duties. Access to some of the system 
information was changed appropriately, but we identified employees 
who still have inappropriate change access. 


We also recommended MSU separate access to incompatible payroll
processing functions. MSU removed access so employees who
establish new employee records and enter time sheet information do
not have the ability to process payroll and print checks. However,
employees that process payroll and print checks still have access to
establish new employees and enter time sheet information.
Recommendation #1 on page 10 addresses employees who should
have change access removed.


We recommended MSU establish written policies over payroll input,
authorization, and reconciliation procedures. MSU-Bozeman
documented procedures for the central human resource employees,
but has not completed policies specific to department authorization
and reconciliation procedures. MSU is working to complete policies
and procedures specific to the department payroll responsibilities.
The progress of this documentation will be reviewed during the next 
biannual audit, and we make no further recommendation at this 
time. 


Recommendation Not Implemented


We recommended MSU restrict employee access among the four
campuses or develop compensating controls to monitor access. The
Banner HR and Finance Systems share data from all four campuses.
An MSU-Bozeman employee with access to change employment
benefits has the ability to change benefits for any of the employees at
the Billings, Havre, or Great Falls campuses. The Banner access
restricts employees to certain types of transactions, but does not
distinguish between campuses. In response to our previous
recommendation, university personnel stated, “...if implemented,
would put MSU in direct opposition with the mandates and charges
from the Board of Regents and the Commissioner of Higher
Education (CHE).” We contacted CHE and were told that the
directive is for a common chart of accounts, not shared access
among campuses.


The Banner software provides the capability to restrict user access to 
data within particular areas of the system through Banner 
organizational security. MSU personnel state that it would be too 
labor intensive to maintain this descriptive level of access for all 
employees at each campus. MSU has not implemented
compensating controls that specifically address this recommendation. 
The current status of reconciliation procedures does not provide 
controls over changes to data. 


The shared access increases MSU's exposure to unauthorized
changes of data. We have reported this concern to MSU and they
have made the decision that the costs of implementing this
recommendation outweigh the benefits. We will continue to review
this security weakness in the next MSU Banner system audit.


A general control review provides information about the
environment in which the computer systems operate and includes an
evaluation of controls over the computer application. Access
controls provide electronic safeguards designed to protect computer
systems and data. Proper access controls help prevent and detect
deliberate or accidental errors caused by improper use or
manipulation of data, programs, and/or computer resources.
Appropriate access based on job duties prevents users from
inadvertently or willfully executing programs or changing data
unrelated to their job.


We reviewed access controls relating to the different layers of the 
computing environment. To effectively control access to Banner 
data, MSU must adequately control access to the systems that 
connect Banner users and allow them to share data. We also 
reviewed current policies to determine if MSU has documented 
policies and procedures in place to assure security of data and 
information technology resources. We toured the data processing 
center and determined physical security controls are in place over 
the MSU-Bozeman data center. This chapter discusses issues related
to our general control review. 


The MSU-Bozeman personnel are responsible for implementing
employee access to Banner for all four campuses; designated
employees from each campus notify Bozeman security personnel as
to the level of access to grant their employees. Banner has a
multi-level security structure. Data is collected in the form of tables, such
as student and financial data. Access levels define the tables 
available and the functions that can be performed in those tables. 
Banner forms, screens, and processes are assigned to user classes. 
Users are assigned to a class or multiple classes based on their job 
duties. 


We selected critical forms or processes within each of the modules 
and reviewed the users with the ability to change data. We 
interviewed personnel from each campus to determine which 
employees should have change access to critical forms we selected. 
The following table summarizes users with inappropriate access to
the forms reviewed, allowing the ability to change data.


Table 1
Employees Granted Change Access

Current Access Required | Current Access Granted | Recommend Access Removal

Finance System:
• Establish accounting structure
• Change vendor information
• Change asset information
• Change payment information
• Change account balance information
• Designate whether student issued refund check

Human Resource System:
• Establish position and salary information
• Allows authorization & status changes to position
• Mass time entry of hours
• Enter/change hours worked
• Adjust leave balance information
• Establish tax calculations
• Define employee leave benefits
• Process to calculate leave hours taken
• Process to calculate earning deductions and taxes

Financial Aid System:
• Identifies requirements that must be met before aid disbursement
• Maintains aid information for an applicant
• Establishes rules that help determine eligibility for aid
• Prioritizes funding sources
• Change student financial aid records

Student System:
• Establish registration fees
• Maintain class scheduling and waive class fees

Source: Compiled by the Legislative Audit Division based on data
from the Banner2000 System.


In our prior audit we identified Bozeman employees with
inappropriate access to these forms and recommended that they be
removed. MSU has removed some of the employee access we
identified and is in the process of reevaluating user access.

Because we also reviewed employee access at the affiliated campuses
and selected additional forms to review in this audit, we identified
additional employees that should have inappropriate access removed.
The users we recommended MSU restrict or remove include 
programmers, users that no longer work for MSU or have changed 
job positions within MSU, and users in Banner security classes 
which grant them more access than needed for their job duties. 
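
The comparison described above, the change access a user's Banner classes grant against what the job requires, can be run as a periodic review. This is an added example, not code from the audit or from Banner; the class, form and user names and the roster layout are hypothetical.

```python
"""Periodic review of change access granted through security classes."""

# Constructed sample data. Class, form and user names are hypothetical.
CLASS_CHANGE_FORMS = {
    "AP_CLERK": {"vendor_info", "payment_info"},
    "PAYROLL_ENTRY": {"time_entry", "leave_balance"},
    "HR_MAINT_ALL": {"time_entry", "leave_balance", "tax_setup",
                     "position_salary"},
}
USER_CLASSES = {
    "asmith": {"AP_CLERK"},
    "bjones": {"HR_MAINT_ALL"},
    "cdev": {"AP_CLERK", "PAYROLL_ENTRY"},
    "dlee": {"PAYROLL_ENTRY"},
    "eroy": {"AP_CLERK"},
}
# Roster (assumed layout): job role and the forms each job must be able to change.
ROSTER = {
    "asmith": {"active": True, "role": "accounts_payable",
               "needs": {"vendor_info", "payment_info"}},
    "bjones": {"active": True, "role": "payroll",
               "needs": {"time_entry", "leave_balance"}},
    "cdev": {"active": True, "role": "programmer", "needs": set()},
    "dlee": {"active": False, "role": "payroll", "needs": set()},
    # eroy changed positions but kept the class from the old job.
    "eroy": {"active": True, "role": "admissions", "needs": set()},
}


def effective_change_access(classes, class_forms):
    """Union of the forms a user can change across every assigned class."""
    forms = set()
    for name in classes:
        forms |= class_forms.get(name, set())
    return forms


def review_change_access(user_classes, class_forms, roster):
    """Return one finding per user whose change access should be removed."""
    findings = []
    for user in sorted(user_classes):
        classes = user_classes[user]
        granted = effective_change_access(classes, class_forms)
        if not granted:
            continue
        person = roster.get(user)
        if person is None or not person["active"]:
            reason, excess = "no longer employed", granted
        elif person["role"] == "programmer":
            reason, excess = "programmer", granted
        else:
            reason, excess = "exceeds job duties", granted - person["needs"]
        if not excess:
            continue
        # Name the classes supplying the excess so the fix targets the class
        # assignment rather than individual forms.
        via = sorted(c for c in classes if class_forms.get(c, set()) & excess)
        findings.append({"user": user, "reason": reason,
                         "forms": sorted(excess), "classes": via})
    return findings


if __name__ == "__main__":
    for f in review_change_access(USER_CLASSES, CLASS_CHANGE_FORMS, ROSTER):
        print(f["user"], "-", f["reason"], "-", ", ".join(f["forms"]),
              "via", ", ".join(f["classes"]))
```
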


We did not identify questionable changes to data. However, 
inadequate security controls create the potential for unauthorized or 
inappropriate modifications. MSU personnel plan to implement 
controls to periodically review employee access and remove change 
access for employees no longer needing it to perform their job. 


Recommendation #1
We recommend MSU ensure change access is restricted
to only those individuals needing it in the performance
of their jobs.


Database administrators (DBAs) in Bozeman maintain the database 
tables which hold Banner data for all of the campuses. In our 
review of access to critical Banner forms we identified shared user 
IDs that were created so three DBAs can log on to the system as 
users to research processing problems on Banner. The shared IDs 
allow access to critical Banner forms and processes that could allow 
them to change, add or delete accounting and payroll data. 


Personnel stated they require access to research problems with
specific Banner forms and processes during Banner upgrade
processes. However, DBAs may not have the accounting knowledge
necessary to make appropriate decisions on changes to financial or
HR data and could inadvertently make incorrect changes to the data.
DBA access to the Banner forms should be limited to “inquiry
only,” researching problems without becoming a user of the system.


Industry standards recommend that system support personnel have
unlimited access to a test database, which is a clone of the
production environment, and have “inquiry only” access to
production data. All problems should be resolved and tested in the
test database, and then changes can be moved to the production
environment. Furthermore, the shared IDs are not assigned to a
specific person and the DBAs share the password. Therefore, there
is no user accountability connected to data changes made with the
ID.


Recommendation #2
We recommend MSU-Bozeman:

A. Restrict DBAs Banner access to “inquiry only” in
the production database.

B. Remove shared user IDs and passwords that allow
access to change Banner data.


Inappropriate Payroll Access


MSU-Bozeman’s Facilities Services department uses a software
system to record and feed payroll data to the Banner Human
Resource System (HRS). Due to union agreements and Facilities
Services internal payroll policies, the Facilities Services system uses
different time recording and compensatory time processes than
Banner HRS. As a result, for every payroll processed there are
discrepancies between HRS and Facilities Services leave balances
that must be corrected. Normally, when a department identifies a
payroll error it submits a form to Personnel and Payroll Services.
However, to efficiently resolve the discrepancies, a Facilities
Services employee was given access to make adjustments to
employee leave balances in Banner HRS. This employee is not a
payroll officer, but an information systems employee.


The access granted does not restrict the Facilities Services employee
to adjusting leave balances within their department, but also provides
access to all MSU Bozeman, Billings, Great Falls, and Havre
campus employees. MSU personnel stated that it is easier for
Facilities Services to correct the errors themselves, than it is for
them to fill out and submit a form for every identified error.


The University of Montana (UM) uses the same version of Banner
as MSU. We contacted UM to determine whether union agreements
are incorporated into the UM Banner programming, rather than
maintaining multiple time reporting systems. According to UM,
programming has been modified to accommodate union agreements.


The Banner access currently granted to Facilities Services allows the 
employee more access than needed to perform the job 
responsibilities. Using one payroll reporting system that 
accommodates varying time reporting situations would alleviate 
discrepancies between systems and the need for adjustments. 


Recommendation #3
We recommend that MSU-Bozeman:

A. Remove Facilities Services access to the Banner
HR data, and

B. Coordinate with UM to review Banner
programming potential to accommodate union
agreements.


During the audit we reviewed MSU's Computing Policy Manual to
determine if policies are in place to outline computing management
and security requirements, and whether MSU is in compliance with
the policies. The Computing Policy Manual is outdated and many of
the policies listed do not correspond with the current computing
environment. For example, the manual references advisory
committees that are no longer operational, system enhancement and
security procedures for systems no longer used by MSU, and does
not include any mention of the current Banner systems.


Industry standards state that adequate policies, procedures, and 
standards must exist to serve as a basis for establishing 
accountability and responsibility for an adequate level of security 
over all data and IT resources. This includes, but is not limited to, 
developing and maintaining written internal policies. Management 
should communicate its objectives to ensure user awareness of 
security and internal control policies and management directives. 
Policies provide direction and a control framework throughout an 
organization. Without current policies management is not able to 
monitor compliance and employees do not have guidelines to follow. 


MSU-Bozeman has personnel responsible for maintaining the
security of the various system environments, but complete 
procedures have not been documented. MSU personnel stated that 
they have not had the resources available to dedicate to updating and 
maintaining the computing policies. Staff resources were occupied 
with implementing and upgrading the Banner modules, and 
converting an operating system. MSU personnel acknowledge that 
the policies are outdated and indicate they would like to implement 
policies which encompass all four campuses because the computing 
environment has become so interrelated. 


Recommendation #4
We recommend MSU update its computing policy
manual to ensure an adequate level of security for its
data and information technology resources.


Introduction


Application controls are specific to a given computer application or a
set of programs that accomplish a specific function. We evaluated
application controls specific to Banner data input, processing and
output. This chapter discusses concerns relating to Banner
components we reviewed and how the data processes through these
systems. The Banner Finance System is updated by modules within
Banner Finance, such as Accounts Receivable and Accounts
Payable, and is also updated by the FAS, HRS and Student Systems.
In November 2000, MSU upgraded the Banner system to version 4.
We performed selected testing on the Banner components to
determine how data is transferred between the modules and
ultimately updates SABHRS.


Duplicate Payment of Invoices


MSU-Bozeman business office personnel process the required
financial transactions to pay vendors. Vendor invoice information is
entered in Banner based on documentation received from
departments or directly from the vendor. Banner contains a system
edit which will not allow the entry of two identical numbers in the
invoice number field. However, Bozeman personnel do not record
the invoice number in the designated Banner field. Instead, they
record the invoice number in a text field associated with the
transaction, bypassing the system edit to prevent duplicate invoice
entry.


Personnel stated that they do not enter invoice numbers in the 
designated field because the field is too small to record some of the 
longer invoice numbers they receive, and the system does not 
differentiate between invoices entered by different campuses. Since 
the system edit is bypassed, invoice entry can be duplicated when 
the business office receives more than one copy of an invoice. For 
example, a department and vendor may both send an invoice to the 
business office, or a vendor may send more than one statement. In 
these instances, duplicate invoices process and duplicate payments 
are mailed to vendors. 


The Bozeman business office does not have procedures in place to
verify invoice payments are not duplicated, and relies on the
departments or vendor to notify them when an overpayment occurs.
If a duplicate is identified, one of the warrants must be retrieved and
canceled, and the system payment data must be corrected. We
confirmed recent duplicate payments that had been identified and
canceled. We were unable to determine the number of duplicate
payments because of the university’s use of the text field.
Procedures should be in place to ensure payment is issued once,
based on original invoice, and payments are recorded accurately and
correctly using the system functionality. Since MSU upgraded
Banner, the invoice number field allows the entry of longer
numbers. If invoice numbers are recorded in the designated field,
the system will not allow duplicate invoices to be entered.


Each campus is responsible for entering its own invoice information, 
but the Accounts Payable data tables are shared by all four 
campuses. This can create problems distinguishing invoice numbers 
between campuses. Numbering standards or procedures could be 
adopted so invoice numbers are differentiated for each campus, such 
as all Bozeman invoices starting with a “BZ.” This would improve
controls and standardize the entry of invoice information. 
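
A detective check for the condition described in this section can recover invoice numbers from the free-text field, normalize them, apply a campus prefix and group payments that share a key. This is an added example, not the auditors' or Banner's code; the record field names are hypothetical, grouping by vendor is an assumption, and only the "BZ" prefix comes from the report.

```python
"""Flag payments that appear to share one invoice, including numbers kept in notes."""
import re
from collections import defaultdict

# "BZ" is the report's own example; the other three prefixes are assumed here.
CAMPUS_PREFIX = {"Bozeman": "BZ", "Billings": "BL",
                 "Great Falls": "GF", "Havre": "HV"}

# Matches "Invoice 4471-A", "INV# 4471A", "inv no. 88-102" inside a note.
_INVOICE_IN_NOTE = re.compile(
    r"\binv(?:oice)?\b\.?\s*(?:(?:number|num|no)\b\.?)?\s*[#:]?\s*"
    r"([A-Za-z0-9][A-Za-z0-9/-]*)",
    re.IGNORECASE,
)

# Constructed sample records; field names are hypothetical.
SAMPLE_PAYMENTS = [
    {"payment_id": "P1", "campus": "Bozeman", "vendor_id": "V100",
     "invoice_no": "", "note": "Invoice 4471-A from dept", "amount": 1250.00},
    {"payment_id": "P2", "campus": "Bozeman", "vendor_id": "V100",
     "invoice_no": "", "note": "INV# 4471A vendor copy", "amount": 1250.00},
    {"payment_id": "P3", "campus": "Billings", "vendor_id": "V100",
     "invoice_no": "4471-A", "note": "", "amount": 310.00},
    {"payment_id": "P4", "campus": "Bozeman", "vendor_id": "V200",
     "invoice_no": "", "note": "paid per statement", "amount": 75.00},
    {"payment_id": "P5", "campus": "Bozeman", "vendor_id": "V300",
     "invoice_no": "88-102", "note": "", "amount": 40.00},
    {"payment_id": "P6", "campus": "Bozeman", "vendor_id": "V300",
     "invoice_no": "", "note": "Invoice attached", "amount": 40.00},
]


def invoice_key(payment):
    """Return (vendor_id, campus-prefixed invoice number), or None if unknown."""
    raw = (payment.get("invoice_no") or "").strip()
    if not raw:
        # Fall back to the free-text field, where no system edit applies.
        match = _INVOICE_IN_NOTE.search(payment.get("note") or "")
        raw = match.group(1) if match else ""
    number = re.sub(r"[^A-Za-z0-9]", "", raw).upper()
    # Require a digit so words following "invoice" are not taken as numbers.
    if not any(ch.isdigit() for ch in number):
        return None
    return (payment["vendor_id"], CAMPUS_PREFIX[payment["campus"]] + number)


def find_duplicate_payments(payments):
    """Return (duplicate groups, payment ids with no recoverable invoice number)."""
    by_key = defaultdict(list)
    unkeyed = []
    for p in payments:
        key = invoice_key(p)
        if key is None:
            unkeyed.append(p["payment_id"])
        else:
            by_key[key].append(p)
    duplicates = []
    for (vendor, invoice), rows in sorted(by_key.items()):
        if len(rows) > 1:
            duplicates.append({
                "vendor_id": vendor,
                "invoice": invoice,
                "payment_ids": [r["payment_id"] for r in rows],
                "same_amount": len({r["amount"] for r in rows}) == 1,
            })
    return duplicates, unkeyed


if __name__ == "__main__":
    dups, unkeyed = find_duplicate_payments(SAMPLE_PAYMENTS)
    print("possible duplicates:", dups)
    print("no invoice number recoverable:", unkeyed)
```

Payments returned in the second list cannot be checked at all, which is the same limit the auditors report for entries made in the text field.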


Recommendation #5 


We recommend MSU establish procedures to ensure 
invoice processing is not duplicated. 


During the audit, we visited each campus and documented controls 
and procedures related to how each campus used the different 
Banner modules. Each campus is responsible for entering and 
processing its own payroll. In some instances, MSU-Billings enters
the total amount paid as the employee's hourly wage for a pay 
period instead of entering the hours worked and corresponding 
hourly rate. For example, we identified instances where employees 
are recorded on Banner as working one hour at an hourly wage 
ranging from $24.00 to $517.50. 


Chapter III - Banner Application Controls


MSU-Billings personnel explained there are several different
circumstances when time is entered this way. Instead of recording 
hours worked for salaried positions, such as teacher assistants, the 
payroll office takes the total salary divided by the pay periods in the 
semester and uses the figure as the hourly rate (i.e. $500 salary/ 4 
pay periods = $125). Some departments only provide the payroll 
office with the gross total amount paid, and not the hours worked, 
so the total amount is recorded as an hourly wage for one hour. 
Personnel stated that it is more convenient to record the time as a 
total instead of setting up hourly wages and tracking the time 
worked. 


Employee time worked should be accurately recorded on timesheets
and in Banner. Summarizing the time worked does not provide the
support needed to reconcile payroll at a detail level, and makes it
more difficult for personnel to identify errors in wages.
MSU-Billings financial aid personnel are having difficulties reconciling
student work study reports. The way MSU-Billings is recording
time creates an inaccurate representation of time worked and
bypasses system edits linked to the number of hours an employee
works. For example, once a student exceeds their allowable work
study hours they are classified as a department employee.


Recommendation #6
We recommend MSU-Billings use time reporting and
data entry procedures which accurately reflect the
employee’s wages and time worked.




Agency Response 




MONTANA STATE UNIVERSITY
Office of the President
211 Montana Hall
P.O. Box 172420
Bozeman, MT 59717-2420
Telephone (406) 994-2341
Fax (406) 994-1893

May 18, 2001


Mr. Scott Seacat 
Legislative Auditor 
Legislative Audit Division 
State Capital, Room 135 
P.O. Box 201705
Helena, MT 59620-1705


Dear Mr. Seacat: 


Please find enclosed Montana State University’s responses to the Legislative Audit 
Division’s recommendations described in the narrative segment of the April 2001 
Information Systems Audit Report. 


Montana State University appreciates the efforts put forth by the Legislative Auditors during 
the audit of the MSU Banner2000 system. We share many of the concerns outlined in the 
report, and we believe that this audit will help us to better manage our Information 
Technology resources. 


President 


Enclosure 
Montana State University 
Response to Audit Recommendations 
Recommendation #1 


Ensure change access is restricted to only those individuals needing it in 
the performance of their jobs. 


MSU concurs. 


Inappropriate access identified by the Legislative Auditors will be 
removed by June 30, 2001. 


Recommendation #2 


Restrict DBAs’ Banner access to “inquiry only” in the production 
database. 


Remove shared user IDs and passwords that allow access to change 
Banner data. 


MSU partially concurs. 


The Legislative Auditors recommend an ideal internal control 
environment for DBAs. However, MSU does not have the staff or 
hardware resources to conduct business efficiently within the structure 
recommended by the Legislative Auditors. It is necessary to provide DBA 
access to production data to resolve problems. 


As a compensating control, shared user IDs and passwords have been 
removed and replaced with accounts containing the usernames of the 
DBAs. This compensating control establishes DBA personal 
accountability and provides an audit trail of data changed within the 
Banner system. 

Recommendation #3 


Remove Facilities Services access to the Banner HR data. 


Coordinate with UM to review Banner programming potential and 
accommodate union agreements. 
MSU partially concurs. 


One Facilities Services employee has access in Banner to modify 
employees’ accrued vacation and sick hours. Banner does not in some 
instances calculate correct amounts for union employees. Montana State 
would like to limit that employee’s access only to Facilities Services staff, 
but that is not presently feasible. It is more efficient for facilities to 
monitor the leave balances of their staff. A report that will track by user 
name changes made by the Facilities Services employee will be 
developed. 


In the conversion to Banner, MSU followed Banner consultants’ advice to 
avoid making modifications to Banner programming. Modifications are 
very expensive to create, test and maintain. Monitoring the activity of the 
Facilities Services employee with the report noted above is a more 
cost-effective resolution in comparison to modifying baseline Banner. 


Recommendation #4 


MSU should update its computing policy manual to ensure an adequate 
level of security for its data and information technology resources. 


MSU concurs. 


When the Banner hardware and software systems were put into 
production, most of the policies governing security of MSU's previous 
administrative systems became obsolete. This occurred not just because 
the specific hardware and software systems changed, but also because the 
scope of the administrative systems was broadened to include all four 
MSU campuses. During the Banner implementation, and in the early 
months of the new production system, a conscious decision was made to 
delay the development of new policies until IT staff and functional area 
specialists had developed a thorough understanding of the Banner 
environment. 


In the interim, ITC implemented compensating controls in the form of 
informal oral and written (mostly e-mail) agreements on operational and 
security guidelines. MSU has begun documenting new policy. 


Recommendation #5 


We recommend MSU establish procedures to ensure invoice processing is 
not duplicated. 
MSU concurs. 


MSU-Bozeman’s Controller and Internal Auditor are working together to 
minimize the risk of duplicate payments. 


Recommendation #6 


MSU-Billings should use time reporting and data entry procedures which 
accurately reflect the employee’s wages and time worked. 


MSU partially concurs. 
The Banner Human Resources time entry screen has a field that allows 
time to be input as an hourly or a unit rate. The field is used as an hourly 
rate for regular pay for all employees. However, it is also appropriately 
used as a unit rate for various types of earnings. For example, a salaried 
employee earning extra compensation may be paid a flat rate over one or 
many pay periods. Graduate and teaching assistants are considered 
salaried employees and are paid with a unit rate. 


We concur that there were instances when payroll staff used this field to 
pay a lump sum amount to hourly employees. The employee was paid the 
correct amount; however, using the field in this manner caused inaccurate 
work study reports. This issue has been addressed and the hourly time 
worked will be reported correctly in the future. 


